The National Institute of Standards and Technology (NIST) recently published final assessment procedures for the enhanced security controls used to protect particularly sensitive forms of controlled unclassified information (CUI) from sophisticated adversaries. NIST SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, articulates procedures and methods to assess contractor implementation of the 35 enhanced security controls found in NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. The publication can be used to conduct first, second, and third-party assessments with varying degrees of rigor based on the assessor’s desired level of assurance.

The enhanced controls and corresponding assessment procedures are expected to impact contractors handling CUI associated with critical programs and high value assets. The Department of Defense (DoD) also plans to incorporate the requirements from NIST SP 800-172 into Level 3 of the Cybersecurity Maturity Model Certification (CMMC) The assessment procedures and methods in NIST SP 800-172A are expected to inform the government-led assessments needed for DoD contractors to achieve certification at CMMC Level 3.